On 2025-06-17 at 22:35 +0200, Sebastian Nielsen via mailop wrote:

> The problem with your argument that firewalls shouldn't touch DNS
> response packets, is problematic,
> as DNS rebinding is a new threat,

I wouldn't call a 1996 attack a "new threat" :)

> where a malicious actor on the internet has a link, let's say,
> 039840684084.example.org, for which a malicious DNS server first will
> respond with the real IP address, and then it will respond with, for
> example, 127.0.0.1
> Then it bypasses CORS protection in the browser, and the malicious
> site is able to edit, for example, settings in local devices (for
> example many 4G modems are managed through localhost) but also, it
> can respond with another private address to access routers and such.
>
> The reason it bypasses CORS protection in the browser is because, from
> the browser's point of view, 039840684084.example.org is the same as
> 039840684084.example.org, regardless of which IP it actually resolves
> to, giving the malicious actor same-origin access to the local host,
> and the malicious actor can use malicious javascript to edit local
> settings or access devices.

I suspect devices such as IoT, modems or routers are the ones where this is practical. Most "serious" applications would be enforcing their own Host: (and using https!), which would make them immune.

> The firewall's job is to protect the network against threats, and
> thus, it's totally legit to drop DNS response packets from the WAN side
> which contain unrouteable IP addresses.

The job of a firewall used to be simpler. Admittedly, "modern firewalls" seem to have taken upon themselves so many functions, which sometimes then result in hard-to-diagnose errors due to the firewall being "too smart".

In the case of DNS rebinding attacks, I would say the proper place to protect from them would be in the browsers themselves (which, AFAIK, already contain some measures in place).

Do you foresee any other app being vulnerable?

Regards

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
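The two defences discussed in the thread, the firewall/resolver dropping WAN-side DNS answers that point into unrouteable address space and the application enforcing its own Host: header, as an added example written for this page (not code from either poster). It constructs the attacker's "second answer" as a raw DNS response with struct, walks the wire format to pull out the A/AAAA records, and flags any that land in loopback, private, link-local or unspecified space; the Host check shows why a device UI that compares the Host header against its own names is immune, since the rebinding page can only make the browser send Host: 039840684084.example.org. The hostname, IP addresses, TTL and the allowlist are made up for the example.

```python
"""Added example: rebind-aware DNS answer inspection plus a Host allowlist.

Illustrative code for this thread, not from the mailop posters. The DNS
response is constructed inline (no network). Hostname, IPs and the
allowlist are assumptions chosen for the demo.
"""
import ipaddress
import struct
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, answers: List[str], txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response (flags QR|RD|RA, rcode 0) carrying
    one A question and one A/AAAA answer per address. Constructed test data."""
    name = _encode_name(qname)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for a in answers:
        ip = ipaddress.ip_address(a)
        rtype = 1 if ip.version == 4 else 28  # A or AAAA
        rdata = ip.packed
        rrs += name + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + question + rrs


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a (possibly compressed) name at off; return (name, next offset)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg: bytes) -> List[Tuple[str, IPAddr]]:
    """Return (owner name, address) for every A/AAAA record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            out.append((name, ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and rdlen == 16:
            out.append((name, ipaddress.IPv6Address(rdata)))
    return out


def unrouteable_answers(msg: bytes) -> List[str]:
    """The check a rebind-aware resolver/firewall applies to a WAN-side reply:
    answers pointing into loopback, RFC 1918/ULA, link-local or unspecified
    space have no business arriving from the internet. Returns the offenders."""
    bad = []
    for name, ip in parse_answers(msg):
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
            bad.append(f"{name} -> {ip}")
    return bad


def host_is_allowed(host_header: str, allowed: set) -> bool:
    """Application-side defence: serve only requests whose Host matches one of
    the device's own names/addresses (port stripped). A rebound page still
    sends the attacker's hostname, so it is refused."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        host = host[:end + 1] if end != -1 else host
    else:
        host = host.split(":", 1)[0]
    return host in allowed


if __name__ == "__main__":
    # Attacker's second answer for the rebinding hostname (constructed).
    reply = build_response("039840684084.example.org", ["127.0.0.1"])
    print(unrouteable_answers(reply))  # -> ['039840684084.example.org -> 127.0.0.1']
    print(host_is_allowed("039840684084.example.org", {"192.168.0.1", "router.lan"}))  # -> False
```

The resolver-side check is the same policy dnsmasq exposes as its stop-dns-rebind option and that many CPE firewalls implement; the Host check is what makes the "serious" applications the reply mentions immune even when nothing in the path filters DNS.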